Partners

Secure Firewall Policy: the do’s and don’ts

Creating and maintaining a secure rulebase

Blog by Linus Raes, senior consultant at SecureLink

A secure network has a firewall in place to regulate the traffic. It usually is the first line of defense put in place, however like everything in the security landscape, the tool itself is only as good as the person handling the technology, and the process that guides it.

In this short blog, I would like to highlight some basic do and don’ts for creating and maintaining a secure firewall policy to protect your environment.

1) Documentation

Most security policies are very basic in the beginning but extend with time. That is because IT teams, as well as business needs change and the IT landscape evolves. To keep track of the global picture, it is recommended to document your security.

This can be done by:

Adding policy owners and project owners. Connecting the business to your security, can help you with reviewing your rulebase in a later stage.

Add descriptions or tags to policies. Use section titles or more dynamic categories to keep relevant policies grouped. This gives you and overview of all policies and keeps you from creating duplicate or obsolete policies.

2) Logging

Logging is critical to ensure your firewall runs smoothly, to keep an eye on what is happening on the network and to support security analysis & compliance requirements. The GDPR enforces you to explain what/how a data breach happened. Logs should be collected and stored centrally so that they can be queried in a timely and efficient manner, and in order for alerts to be developed which will inform well-defined security ‘Use Cases’.

Keep in mind that:

Create an explicit block policy which denies all traffic at the bottom of your rulebase. Enable logging on this policy to monitor what traffic is being denied. This will help you troubleshoot.

Make sure the retention period of your logs is long enough to support necessary regulations or personal policies. If needed, think about forwarding the logs to an external system.

For a more advanced approach enable Artificial Intelligence and other machine learning capabilities on your logs to find anomalies.

3) Auditing

The security of your firewall is heavily dependent on your rulebase. In an ever-changing IT environment where servers and clients come and go, a rulebase can quickly get outdated. Auditing your rulebase in a scheduled way may sound like a tedious task, it will, however, increase your security tremendously without the need for new or better hardware.

You can choose to audit manually and check the security policies for validity. Use the descriptions mentioned earlier to contact the business and see if policies are still needed.

There are also automated tools to help you find unused policies or highlight open policies which need a closer look. There are even tools which can help you build up a new, more secure rulebase built on baselining and machine learning. Keep in mind that a close relationship with the business will always be needed to help you rule out unwanted policies.

4) Zero trust and Temporary Rules

The notion that everything on the internal LAN can be trusted has long been outdated. The zero trust model is based on the principle: never trust, always verify. This means that a firewall should be placed on the inside of your network, and not only on the perimeter. A universal guideline for security policies should be a strict starting point.

Some examples:

Do your servers really need internet access? Operating system updates should be retrieved from a central Update server. Other software updates should be allowed on an IP or FQDN basis. There is no reason for servers to be able to browse the internet. If needed, create exceptions based on certain user credentials.

Limit 3d parties external access to restricted hosts only. Think about adding schedules to the policies. Does the contractor need access to your environment on a permanent basis? Phoning in to enable the account or security policy might be a more secure approach. Of course, this does add load to your operational team that needs to enable the policy if access is required.

The secure approach of blocking everything unless all parameters are known, might not be feasible in all situations. Security should not hinder operations, so temporary policies to keep business running may form a necessary evil. However, that does not mean a temporary policy should be there forever.

Apart from allowing unwanted traffic, temporary rules tend to become entangled in the security policy rulebase so that disabling them might cause multiple services to fail. Best practice should be to add time restrictions when creating a temporary policy which automatically disables the policy after a certain set time. This provides a defined timeframe to contact business and find out exactly what is needed or consult logging to refine your policy as strict as possible.

5) Next generation?

Use all the capabilities of your firewall and get the most out of your current infrastructure. This can range from simple DoS protection to more complex zero-day malware analysis. The term Next Generation Firewall is somewhat ambiguous, but for most vendors, this includes one or all of the following features:

Some form of IPS to scan for malware in all its forms.

Layer 7 Application awareness to gain visibility over what type of traffic is passing through your network.

Identification of the user instead of his IP address to increase accountability and differentiate rulebases on a need to access basis

SSL decryption to gain insight into encrypted traffic. Social media and personal e-mail are a huge attack factor. Decrypting this traffic is key for securing your infrastructure.

All these features can be used to optimize your rulebase and increase overall security considerably.

Conclusion:

Creating and maintaining a secure rulebase does not have to be a complex task. Use validated processes performed by knowledgeable people, to get the maximum security out of your chosen technology. Pay the necessary attention to the health of your rulebase because it could undermine all actions taken to help defend the enterprise.

And as always, don’t hesitate to contact SecureLink for additional information or help in maintaining your firewall rulebase as secure as possible.